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Abstract 

In 2000, Galbraith and McKee heuristically derived a formula that estimates the proba- 
bility that a randomly chosen elliptic curve over a fixed finite prime field has a prime number 
of rational points. We show how their heuristics can be generalized to Jacobians of curves of 
higher genus. We then elaborate this in genus g = 2 and study various related issues, such 
as the probability of cyclicity and the probability of primality of the number of points on the 
curve itself. Finally, we discuss the asymptotic behavior for g — > oo. 

MSC 2010: 11N05, 11G10, 11G20 

1 Introduction and overview 

1.1 The Galbraith-McKee conjecture: elliptic curves 

In [T7], Galbraith and McKee studied the probability that a randomly chosen elliptic curve over 
a finite prime field has a prime number of rational points. They conjectured the following. For a 
prime number p > 3, let P\{p) be the probability that a uniformly randomly chosen integer in the 
Hasse interval [p + 1 — 2^p,p + 1 + is prime. Let /^(p) be the probability that the elliptic 
curve defined by y 2 = x 3 + Ax + B, for a uniformly randomly chosen pair (A, B) in the set 

Hab = { (A, B) e ¥ 2 p | 4A 3 + TIB 2 ^ } , 

has a prime number of rational points (including the point at infinity). 

Conjecture 1 (Galbraith-McKee |17L Conjecture A]) Define 

Cp= 3 n (T^Tp ) ■ n [ i+ (£+!)(£ -2)) ' 

£>2 v v ; 7 C\p-l,l>2 v v A ;/ 
where the products are over all primes I satisfying the stated conditions. Then 

lim {P 2 {p)/P 1 {p) - Cp) = 0. 

p— >oo 

The constant c v lies between 0.44010 and 0.61514. In general, the conjecture predicts that elliptic 
curves are about half as likely to have prime orders as one might expect. 

The study of the probability of primality is partly motivated by elliptic curve cryptography. 
For an elliptic curve over a finite field to be suitable as the underlying group for Diffic-Hcllman 
key exchange, its number of rational points is preferably prime (although small cofactors are often 
tolerated). In practice, a 'good' elliptic curve is often found by repeatedly counting the number 
of rational points on randomly chosen elliptic curves, e.g. using the SEA algorithm [31) . until a 
prime number is hit. The above conjecture predicts that this process works slightly worse than 
one would naively assume. 

Galbraith and McKee provided both experimental support and heuristic evidence in favor of 
Conjecture [T] Their main argument uses the Hurwitz-Kronecker class number formula, which 



counts bivariate quadratic forms up to equivalence. A second argument estimates the probability 
of primality by naively multiplying the expected probabilities of being coprime to 2, 3, 5, 7, 11, . . . 
For elliptic curve orders, these expected probabilities were devised by Lenstra [25J Proposition 1.14]. 
When taking the quotient of the resulting estimates for Pa(p) and Pi(p), one exactly finds c p . A 
reasoning of this kind had already been made by Koblitz [331 p. 160] in the dual setting where one 
fixes an elliptic curve over Q and reduces it modulo varying primes — a similar discussion on the 
case where one fixes a CM-curve of genus 2 over Q can be read in Weng's thesis [35J Section 5.2]. 
Galbraith and McKee called their second heuristics 'not very honest', however, due to subtleties 
reflected in Mertens' theorem. We will discuss these in Section [3] 



1.2 Genus 2 curves 

Nonetheless - and this may be thought of as an underlying meta-conjecture - these second heuristics 
work very well in practice, as is confirmed experimentally in Section ITTl Moreover, they seem more 
flexible towards generalizing Conjecture [1] to Jacobians of curves of higher genus, which have also 
been proposed for use in cryptography. The required analogues of Lenstra's theorem are provided 
by a recursive formula due to Achter and Holden [31 Lemma 3.2], which we turn into a closed 
expression in Section [5J 

In this article, we elaborate this for curves of genus 2, which is the most relevant case for 
cryptography. We derive the following conjecture. For a prime number p > 2, let P\{p) be the 
probability that a uniformly randomly chosen integer in the Hasse-Weil interval 

[(Vp-1) 4 ,(vp + i) 4 ] 

is prime. Let P2(p) be the probability that the Jacobian of the genus 2 curve defined by y 2 = f(x), 
for a randomly chosen polynomial f(x) in the set 

%6 = { f( x ) G F p [x] | f(x) square-free of degree 6 } , 

has a prime number of rational points. 

Conjecture 2 (see Section [6]) Define 

38 tt / £ 2 - £ - 1 \ T-r A f - £ 3 - i - 2 



II i- r/a-i^-ivJ • n 1 



v 45 1J -T (£ 2 - l)(£ - l) 2 J 11 r ' (£ 3 -2£ 2 -£ + 3)(£ 2 + l)(£ + l) 

£>2 v v n ' 7 £\p-l,£>2 V V 

where the products are over all primes £ satisfying the stated conditions. Then 

lim {P 2 (p)/P 1 (p)-c p )=0. 

We implicitly assume that Pi (p) ^ for all p, which is an open problem in its own (see [H Sec- 
tion 2.2] for a related discussion). The constant c p lies between 0.63987 and 0.79890. Summarizing, 
in genus 2 prime order Jacobians are also slightly disfavored, but to a lesser extent than in genus 
1. 



1.3 Averaging over p 

By averaging c p over all primes p, it becomes meaningful to measure the prime-disfavoring behavior 
by a single constant. For elliptic curves, this gives: 

Lemma 1 (see Section [3j For each prime p > 3, let c p be as in Conjecture^ Then 



£ 2 ~£~1 



* = 555 jg_ * ~ IJ l 1 " F!Fi? 1 * 7 



3<p<n 

Here, tt is the prime- counting function, and the product is over all primes £ 
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This confirms a constant obtained by Koblitz [23j p. 160] and subsequently verified by Balog, 
Cojocaru and David [5J Theorem 1]. In genus 2, the average reads: 

Lemma 2 (see Section [6]) For each ■prime p > 2, let c p be as in Conjecture^ Then 

~ lim J- V c nfl l 6 -2^ +3 £+l \ 

where again the product is over all primes t. 



1.4 Imposing a rational Weierstrass point 

Instead of using "Hq, we can choose f(x) uniformly at random from the set 

= { f(x) £ ¥ p [x] | f(x) monic and square-free of degree 5 } . 

This situation matches better with common cryptographic practice. However, it alters the notion 
of taking a random genus 2 curve, since here one imposes the existence of a rational Weierstrass 
point. As before, for each prime p > 2, let P\{p) be the probability that a uniformly randomly 
chosen integer in the Hasse-Weil interval [(y/p— l) 4 , (^/p + l) 4 ] is prime, but now let P2(p) be the 
probability that a random genus 2 curve, in the above sense, has a Jacobian with a prime number 
of rational points. 

Conjecture 3 (see Section [7]) Let c p be as in Conjecture [H Then 

Hm (p 2 (p)/P 1 (p) - ^cp) =0. 

The constant j§c p lies between 0.30309 and 0.37843, so prime orders become dramatically less 
probable. This is entirely due to the fact that the probability of having rational 2-torsion increases 
from || to | . In Section [71 we will illustrate why for odd £, the expected probability of having 
rational ^-torsion is most likely unaffected. 

Averaging j^c p over all primes p as in Section [O] gives approximately 0.32904 (i.e. yg times 
the constant of Lemma [TJ. 



1.5 The number of points on the curve itself 

We can also estimate the probability that the number of rational points on the curve itself, rather 
than its Jacobian, is prime. For each prime p > 2 and with f(x) chosen uniformly at random 
from Wq, let P 2 {p) be the probability that the nonsingular complete model of y 2 = f(x) has a 
prime number of rational points. Let P\{p) be the probability that an integer, chosen uniformly 
at random from the Hasse-Weil interval 

[p+l-4^,p+ 1 + 4^ 

is prime. For £ ^ p prime, define 

a e , p := #{{x,y) £ F* x (F, x \{-p}) | (x + y/x)(l +p/y) = p + 1}, 



Pl p := {£- l){t-t + 2)-a e , p - 



(£ 3 -l) ifp=-lmod 
otherwise. 



Conjecture 4 (see Section [8]) Defir 



38 n £■ /3 Lp 



45A1(^-1)(*2_1)(*_1) 



where the product is over all primes £ > 2. Then 



lim (P 2 (p)/P 1 (p)-c p )=Q. 

p—^oo 
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The constant c p lies between 0.79605 and 0.86548, with an estimated average (in the sense of 
Section H~3")) of s» 0.83376. When switching to instead of Hq, the leading factor || should 
be replaced by y|. The resulting constant c p lies between 1.00553 and 1.09323, with an estimated 
average of ~ 1.05317, so prime orders actually become slightly favored. 



1.6 The probability of cyclicity 

Using similar heuristics, one can estimate for each prime p > 2 the probability P(p, 2) that the 
group of rational points on the Jacobian of the curve defined by y 2 = f(x), with f(x) chosen uni- 
formly at random from Hq, is cyclic. This is done by considering for each prime £ the corresponding 
probability for the ^-torsion subgroup, and then taking the product. 

For elliptic curves, one recovers a formula that was proven by Vladut. Let P(p, 1) be the 
probability that the group of rational points on a randomly chosen elliptic curve over F p (as in 
Section [O]) is cyclic. Then: 

Theorem 1 (Vladut; [34, Theorem 6.1]) For each prime p, define 



° p = II ( 1 - J7WZ 



t\p-l x 

where the product is over all primes £ satisfying I \ p — 1 . Then 

lim (P{p, 1) - c p ) = 0. 

The constant c p is contained in [0.78816,0.83334], with an average (in the sense of Section [TT3"| of 
s» 0.81375. In genus 2, the same reasoning gives: 



Conjecture 5 (see Section [9]) For each prime p, defi 



ne 



151 -pr / 1 \ -pr £ s -£ 6 -£ 5 -£ 4 + £ 2 +£+l 



v 180 11 1 £(£ 2 - 1)(£ - 1) J 11 £ 2 (£ 4 ~l)(£ 2 -I) 

where the products are over all primes £ satisfying the stated conditions. Then 

lim (P(p, 2) - c p ) = 0. 

p— f oo 

The constant c p is contained in the interval [0.79356, 0.81918], with average value Cp~ ~ 0.80883. If 
we replace T-Lq by T-Lf, then the leading factor should be replaced by in which case the constant 
c p is contained between 0.58335 and 0.60218, with average value Cp~ s» 0.59457. 



1.7 Extension fields 

Fix a prime number p. Consider the alternative setup of finite fields ¥ p k of growing extension 
degree k over ¥ p . For g £ {1, 2}, let P\(k : g) be the probability that a uniformly randomly chosen 
integer in the Hasse interval [(\/p^ — l) 2s , (Vp^+ 1) 2s ] ^ s prime- Let P2(k,g) be the probability 
that the Jacobian of the (hyper)elliptic curve defined by y 2 + h(x)y = f(x), where the pair (h, f) 
is chosen from 

n g+h2g+2 = {(/, h) £ ¥ pk [x] x ¥ pk [x] | deg h < g + 1, deg/ = 2g + 2, 

y 2 + h(x)y = f{x) has geometric genus g} 

uniformly at random, has a prime number of ¥ p k -rational points. 
Then: 
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Conjecture 6 (see Section I10[) Let 

c^^-n^-^ip)- n ( i+ (£+i) 1 ^-2) ) ' 

f>2 v v ; 7 e\ P k -i,e>2 v ;/ 

where the products are over all primes £ satisfying the stated conditions, and fi p — ifp — 2 versus 
H P = 1 if p > 2. Then 

lim (P 2 (fc, l)/Pi(M) -c fc ) =0. 

If p > 2, the formula for c& closely matches the formula from c p from Conjecture [TJ with p fc — 1 in 
place of p — 1, and takes values between 0.44010 and 0.61514. For p = 2 we have Cfc = 0. In genus 
2, the estimate reads: 

Conjecture 7 (see Section I10p Let 

(£2 _i )(£ _ i )2 J ' %fc ll £>2 ^ + (P-2e2-i + 3)(P + l)(£+l)) ' 

where the products are over all primes I satisfying the stated conditions, and Mp = § ifp = 2 versus 
( J v = M tf p > 2 - ^ erl 

lim {P 2 (k,2)/P 1 (k,2)-c k )=0. 

Again for p > 2, the formula for c k matches the formula for c p in Conjecture [5] and takes values 
between 0.63987 and 0.79890. If p = 2 then c fc lies between 0.50516 and 0.63071. 

It is possible to average the above over k, where the result will depend on the multiplicative 
orders of p modulo the various i. Also, one can adapt Conjectures [S] and [71 and in fact any of the 
conjectures stated above, to the mixed case of just considering finite fields ¥ q of growing cardinality. 

1.8 Asymptotics for growing genus 

Instead of elaborating similar, increasingly complicated formulas for higher genera <?, we end with 
an analysis of the asymptotic behavior for g — > oo. This may be of interest to people studying 
analogues of the Cohen-Lenstra heuristics [TT] [23] in the case of function fields, though we will 
not push this connection. Note that due to computational limitations, the conjectures below are 
no longer supported by experimental evidence and rely purely on the conjectured validity of our 
heuristic derivation. 

For every prime number p > 2 and every integer g > 1, let P\(j>,g) be the probability that a 
uniformly randomly chosen integer in the Hasse-Weil interval 

[(y/p -If 9 , (VP + If 9 ] 

is prime. Let P-iip-, g) be the probability that the Jacobian of the genus g curve defined by y 2 = f(x), 
for a randomly chosen polynomial f(x) in the set 

'H.2 g +2 = { f(x) G ¥ p [x] I f(x) square-free of degree 2g + 2 } , 

has a prime number of rational points. 
Then we have: 

Theorem 2 (see Section [6]) lim P)ff ^.oo P2 [p, <?) = 0. 

Theorem^ holds because the probability of having rational 2-torsion tends to 1 as g — > 00. However, 
this is a hyperelliptic phenomenon. The limiting behavior becomes more interesting if instead one 
defines P%(p, g) as the probability that the Jacobian of a random genus g curve over ¥ p (e.g. chosen 
from the set 

M g = { curves of genus g over ¥ p } / =f p 

uniformly at random — note that M g is typically not well- understood) has a prime number of 
rational points. In this case, we expect: 



n 

1)^ n 
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Conjecture 8 (see Section [6]) Define 



" nr., co> ^iV*- 1 

where C is Riemann's zeta junction and the product is over all primes t satisfying the stated con- 
dition. Then 

lim (P 2 (p,g)/P 1 (p,g)-c p )=0. 

P,g->oa 

Again, we implicitly assume that Pi (p, g) is nowhere zero. The constant c p lies in the interval 

n 00 223 1 



nt a c(i) 'n5iiC(2j+i) 



C [0.63287, 0.793531 



In other words, the prime-disfavoring effect persists as the genus grows. It even becomes slightly 
more manifest than in genus 2. A more detailed analysis shows that the effect alternatingly 
strengthens and weakens as the genus becomes odd and even, respectively. As in Section 11.31 one 
can average c p over all primes p > 2, yielding a constant w 0.68857. 

Similarly, for every prime number p > 2 and every integer g > 1, let P(p,g) be the probability 
that the rational points of the Jacobian of the (hyper)elliptic curve y 2 = f(x), with f(x) picked 
from H.ig+2 uniformly at random, constitute a cyclic group. 

Then: 

Theorem 3 (see Section [9]) lim^g-^oo P(p, g) = 0. 

Again, this is a hyperelliptic phenomenon due to 2-torsion issues. If instead we define P(p, g) to 
be the probability that a curve chosen from M. g uniformly at random has a cyclic Jacobian, then 
we expect: 



Conjecture 9 (see Section [9]) Defi 



ne 



1 _ ~ £2j / 1 



nn^n 



n „((j) 11 11 pi -i 11 v w-i) 



i\p-l 3=1 

where C is Riemann's zeta function and the product is over all primes £ satisfying the stated con- 
ditions. Then 

lim (P(p,g)-c p )=0. 
Now the constant c p lies in the interval 



rij=i 2^-1 ■ il>2 (i + ni-i) 



n^iC(2j+i)' nr= 2 c(j) 



C [0.79352,0.82004], 



with an average (in the sense of Section [TTB")) of c p ss 0.80924. 

2 Common notions of randomness 

By a randomly chosen (hyper)elliptic curve of genus g > 1 over a finite field ¥ q of odd characteristic, 
we will usually mean the nonsingular complete model of a curve y 2 = f(x), where / is chosen from 

^2^+2 = { f(x) G ¥ q [x] | f(x) is square-free and deg/ = 2^ + 2} 

uniformly at random. 

Alternatively, one could take the curve uniformly at random from 

M^ yp = {(hyper)elliptic genus g curves over F g }/ =g . 



(i 



This randomness notion may be preferred from a theoretical point of view. It is fundamentally 
different from our first, in the sense that the map 

n 2g+2 M** : / H- [y 2 = f{x)\ 

is not uniform. For small q it does not even need to be surjective. Therefore, the probability of 
having a certain geometric property may change when moving from the one notion to the other. 
However, as q gets bigger and bigger, the change becomes negligible. More precisely, for 5^00 
(g fixed), the proportion of elements of A4^ yp having q(q 2 — l)(q — l)/2 pre-images in %2g+2 tends 
to 1. This can be elaborated following J27J Section 1]. Note that, despite the availability of a 
complete classification of (hyper)elliptic curves up to F g -isomorphism [27J Section 2], the set Ai^ yp 
is quite cumbersome to work with. 

Another setup, which is e.g. used in [2] Theorem 3.1], is to take / uniformly at random from 

^2g+2 — { f( x ) e Fq [re] | f(x) is monic, square-free and deg / = 2g + 2} , 

instead of W-2g+2- Again, this is different from either of the above notions. For small q, there may 
exist curves having a model in %2 g +2 that do not have a model in Hfg+2- But again, as q — > 00 (g 
fixed), the difference dissolves. Indeed, consider the set 

S 2g+ 2 = { (/, a, (3) G n 2g+ 2 xF,x F* | f(a) = /3 2 } . 

Then we have a map 

S 2g+ 2 -> U% +2 : (/, a, 13) ^ r 2 x 29+2 f(l/x + a), 

which respects the isomorphism class of the corresponding curve, and which is onto and q(q— l)-to- 
1. Therefore, taking / uniformly at random from H^g+i and using the / of a uniformly randomly 
chosen (/, a, /3) G S2 g +2 give rise to equivalent randomness notions. On the other hand, the map 

S 2g +2 -> "H2 S +2 : (/, a, 0) i-> / 

is asymptotically uniform, since every / G T-L2 g +2 will have q + 0(^/q) pre-images by the Hasse-Weil 
bound. This proves the claim. 

In Section[TU] we will allow char F 9 = 2 and use curves of the form y 2 + h(x)y = f(x) with (/, h) 
chosen from 

H g+ i, 2g+ 2 = {(f,h) e¥ q [x] xW q [x] \ degft<ff + l,deg/ = 2 5 + 2, 

y 2 + h(x)y = f(x) has geometric genus g} 

uniformly at random. Again, it is easy to show that if 2 { q, the completing-the-square map 
%g+i,2 3 +2 — > T~L2 g +2 is essentially uniform. 

In this article, we will always consider statistical behavior for q — > 00. In particular, the validity 
of all statements below involving randomly chosen curves in the sense of 'H.2 g +2 is preserved when 
switching to either of the above alternatives, and vice versa. Some statements involve error terms, 
so in fact a more careful analysis is needed; we omit the details. 

The picture does alter, however, when one takes / uniformly at random from 

7-t-2 g +i — { f € ¥ q [x] I f(x) is square-free and deg / = 2g + 1 } . 

While this setting is often preferred in practice, this influences the story as soon as g > 2, since it 
induces the existence of a rational Weierstrass point. We will study this effect in detail for g = 2 
in Section [7] On the other hand, writing 

%2g+i = { / e ^9 N I f( x ) i s monic, square-free and deg / = 2g + 1 } , 

the geometry-preserving map 

?Wi -> nfg+i : / ^ a 2 s.f(x/a) (where a = lc(/)) 
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is onto and (g — l)-to-l. Therefore, %2 fl +i and "HJJg+i can be interchanged in any probability 
statement below. If g — 1 and moreover 3 \ q, this also accounts for 

Hab = { (A, B)e¥ 2 q \ 4A 3 + 27B 2 ^ } , 

since the complcting-the-cube map Ti.^ — » Hab is uniform. 

Note that the sets %2g+2, ^2^+2^3+1,29+2, %2 ff +i,%2g+i,-Mg yP ' Hab depend on q, while this 
is not included in the notation for sake of readability. However, it will always be clear from the 
context which q is used (it will typically be the prime number p under consideration). 

3 Heuristic framework 

For prime numbers p > 3 and £ =^ p, let P(p, £) be the probability that the elliptic curve Eab 
defined by y 2 — x 3 + Ax + B, for a randomly chosen pair (A, B) in the set Hab, has £ dividing its 
number of rational points (including the point at infinity). 

Theorem 4 (Lenstra) There exist C\,Ci £ R>o, such that 



£ 2 -l 
1 



<Cil/^Jp if£\p-l and 

<c 2 e/Vp ife\ P -i 



£-1 

for all pairs of distinct primes p, £ with p > 3. 

Proof. See Proposition 1.14], to which we refer for explicit estimates of the Cj. ■ 

We can now describe and discuss in more detail Galbraith and McKee's second heuristic ar- 
gument supporting Conjecture [T] This is the type of reasoning behind all of our conjectures. Let 
£(p) be the largest prime for which £{p) < y/p+ 1. Let n be an integer chosen uniformly at random 
from the Hasse interval, and let r\ be #Eab(^p)- The aim is to estimate the ratio P2(p)/ Pi(p), 
where Pi{p) and P2(p) are as in Section fTTTl It can be rewritten as 

P(2 \ r] and 3 \ rj and 5 \ -q and . . . and £(p) \ 77) 
P(2 \ n and 3 \ n and 5 \ n and . . . and £(p) \ n) 

A first heuristic step is to approximate the above by 

P(2\ V )P(3\r 1 )P(5\r ] )---P(£(p)\r ] ) 
P(2 \ n)P(3 f n)P(5 \ n) ■ ■ ■ P(£(p) \ n) ' 

A second heuristic step is then to estimate P(£ \ rj) by 

and l-^_if^|p_l 



(following Theorem g]), and P(£ \ n) by 



1 

1 - -. 



One finds 



n(i-l) 

where the products are over all primes £ < £{p) satisfying the stated conditions. Rearranging the 
expression shows that 

lim (c p - c ) =0, 
where c p is the factor appearing in Conjecture [1] 
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It is tempting to validate the heuristics using an independence argument based on the Chinese 
Remainder Theorem (for n) and Howe's generalization of Lenstra's theorem (for 77, see |19j). 
However, this is too naive. By Mertens' theorem and the Prime Number Theorem 



n 



2e-i 
\ogp 



2e-^P 1 (j>), 



Here, 7 f=s 0.57722 is the Euler-Mascheroni constant (2e 7 
justihed, we should hence have that 



n 



1 - 



1 



n 

e\p-i,e<y/P+i 



1 - 



1.12292). For the heuristics to be 



P - 1 



With this in mind, the heuristics becomes very subtle: why would both naive estimates be equally 
wrong, as Galbraith and McKee call it? We cannot give a satisfying answer, but note the following. 
(i) The constant 2e -7 , which reflects the ignored dependency between being divisible by distinct 
primes, is accumulated in the tail of the product, with respect to which 77 and n behave much alike. 
Stated alternatively, the 'local ratios' P(£ \ T])/P(£ \ n) converge quickly to 1. By considering c p as 
the limiting product of these local ratios, rather than the ratio of two diverging products, one gets 
a more comfortable underpinning of the conjectured heuristics, (ii) The heuristics is supported 
by Galbraith and McKee's first argument in favor of Conjecture [TJ which uses different methods 
(namely, the analytic Hurwitz-Kronecker class number formula). (Hi) As far as computationally 
feasible, the conjectures that we obtain assuming this principle are confirmed by experiment in 
Section ITTI (iv) The constant from Lemma [1] provably appeared in the dual setting of a fixed 
elliptic curve over Q reduced modulo varying primes p, see [5j Theorem 1] . 
We end this section with a proof of Lemma [TJ 



Proof of Lemma [TJ First, let us give a heuristic derivation. 
Dirichlet's theorem, the proportion of primes p satisfying £ \ p 
Lenstra's result then gives 



P(£ I r,) 



1 



(. 



2 1 



Let I be a prime number. By 
- 1 is 1/(1— 1). Averaging out 

e -2 



l-XP-l 1-1 1-\ (P -!)(£-!) 



So 



P(£\r,) 



1 



1 



1) 



P(£\n)~~ (I 2 -!){£■ 

and applying the above heuristics yields the requested formula. 

To make the argument precise, pick any e > 0. It is easy to see that there is a uniform bound 
L such that \cp — c p \ < e/3 for all p - where c p is defined as in Conjecture [TJ but with the product 
restricted to primes £ that do not exceed L - and such that, similarly, 



n 1 



1 



{p-i){£-iy 



n 1 



1 



{p-i)(£-iy 



< e/3. 



However, by the Dirichlet equidistribution of primes, and because we are taking finite products 
now, there is an N such that n > N implies 



1 



7r(n) - 2 



£-1 



3<p<n t<L 

Combining the three bounds concludes the proof. 



(P - !){£- I) 2 



< e/3. 
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4 The random matrix model 



4.1 The genus 1 case 

Lcnstra's Theorem 0] can be understood from the following random matrix point of view. Let ¥ q 
be a finite field. Let N be a positive integer coprime to q, and consider the set 

GL 2 9) (Z/(N)) ={ Me GL 2 (Z/(A0) | det M = q } . 

This set is acted upon by GL 2 (Z/(7V)), by conjugation. To any elliptic curve E/¥ q , we can 
unambiguously associate an orbit of this action by collecting the matrices of qth power Frobenius, 
considered as an endomorphism of the Z/(7V)-module E[N] of iV-torsion points, with respect to 
all possible bases. Denote this orbit by Te- 

Take charF, > 3. For any union of orbits C C GL { 2 q) (Z/ (N)), let P(F E C C) denote the 
probability that the orbit associated to the elliptic curve y 2 = x 3 + Ax + B, where (A,B) G F 9 is 
chosen from Hab uniformly at random, is contained in C. 

Principle 1 There exist G\ G R>o and c G Z>o, such that 

P(T E aC) jp- <CiN°ly/q 

#GL^(Z/(iV)) 

for all choices of q, N , and C as above. 

We use the word 'Principle', because, to our knowledge, no complete proof of this statement has 
appeared in the literature. Nevertheless, it is commonly accepted and extensively confirmed by ex- 
periment. It is generally believed to follow from the work of Katz and Sarnak [501 Theorem 9.7.13]. 
A strategy of proof was communicated to us by Katz, and essentially matches with the approach 
of Achter [5] Theorem 3.1], who proved Principle [I] under certain mild restrictions on q and N 
(using c = 3). However, a more classically flavored proof of Principle [1] can presumably be obtained 
by applying Chebotarev's density theorem [T31 Proposition 6.4.8] to the function field extension 
¥ q (j) C F 9 ((jv)(j) C ¥ q ((jy)(X(N)), where is a primitive Nth root of unity, and the latter 
extension corresponds to the modular cover X(N) — > X(l), which is known to be defined over 
J^VCaO- This approach is currently being elaborated in [5]. 

Principle [T] indeed allows one to rediscover the asymptotics of Theorem [H by counting the 
matrices M £ GL^^F^) satisfying p + 1 — Tr(M) = 0. We leave this as an exercise. 



4.2 The general case 

Let F q and N be as before, and let ¥ q be an algebraic closure of ¥ q . Let C/¥ q be a complete 
nonsingular curve of genus g > 1 and denote by A — Jac(C) its Jacobian. Then qth power 
Frobenius defines an endomorphism of the 2g-dimensional Z/(iV)-module A[N] of TV-torsion points 
on A. Instead of considering all bases, we can make a more canonical choice by restricting to 
symplectic bases. We briefly review how this works. 

We employ the following notation and terminology. For any n G N, I„ denotes the nxn identity 
matrix, and denotes the 2g x 2g matrix 




The group 

Sp 2g (Z/(A0) = { Me GL 2g (Z/(A0) | t MQM = Q } 
is called the group of symplectic 2g x 2g matrices, and 

GSp 2g (Z/(A0) = { Me GL 29 (Z/(A0) | 3d e Z/(N) such that 'MOM = dil } 

is referred to as the group of symplectic similitudes. It is naturally partitioned into the sets 

GSp { 2 d J(Z/{N)) = { M G GL 29 (Z/(A0) | 'MOM = dtt } 
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with d ranging over (Z/(N)) X . An element of GSp^(Z/(iV)) is called d-symplectic. Note that 
1-symplectic and symplectic are synonymous. A classical trick using the Pfaffian shows that the 
determinant of a symplectic matrix is 1. Hence the determinant of a d-symplectic matrix is d 9 . 

Symplectic matrices pop up in the study of skew-symmetric, nondegenerate bilinear pairings 
on, in our case, 2<?-dimensional (Z/(JV))-modules. Such pairings are often called symplectic forms. 
For any choice of basis, one can consider the standard symplectic form (•, •), defined by the rule 

(v, w) — l v fi w. 

Given any symplectic form, one can always choose a basis with respect to which it becomes the 
standard symplectic form: such a basis is called a symplectic basis or a Darboux basis. When 
switching between two symplectic bases corresponding to the same symplectic form, the matrix of 
base change is symplectic, and conversely. 

Now for each primitive N th root of unity £jv G F g , the Weil pairing 

e N :A[N]xA[N]->(( N ), 

when composed with the (non-canonical) map 

(Cat) -► Z/(N) -.tif^i, 

is a skew-symmetric and nondegenerate bilinear pairing on -A[iV]. A corresponding symplectic basis 
Pi, . . . , P s , Qi, . . . , Qg is characterized by the properties 

ejv(P,Qj) = Cjv j > e N {P i ,P :j ) = e N (Qi,Qj) = 1 

for all i, j € {1, . . . , <?}, where Sij is the Kronecker symbol. Because of the Gal(F g , F 9 )-invariance 
of the Weil pairing, one has that 

e N {P°,Q°) =e N (P,Q)i 

where P, Q are arbitrary points of A[N] and a is gth power Frobenius. Then bilinearity implies 
that the matrix F of a with respect to Pi, . . . , P g , Qi, . . . , Q g satisfies 

t FQF = qfl, 

i.e. F is g-symplectic. 

As mentioned above, a different choice of symplectic basis yields a matrix obtained from F by 
Sp 2ff (Z/(A r ))-conjugation. Next, if is replaced by another 7V th root of unity ( J N , j € (Z/(7V)) X , 
then Pi, . . . ,P g , [j]Qi, . . . , \j]Q g is a symplectic basis, and the matrix of Frobenius is djFdJ 1 , 
where 

Since Sp 2g (Z/(A^)) and the matrices dj generate GSp 2g (Z/(iV)), we conclude that we can unam- 
biguously associate to C an orbit of GSp 2 ^ (Z/(N)) under GSp 2s (Z/(iV))-conjugation. 

We are now ready to formulate the hyperelliptic curve analogue of Principle [TJ Let charF 9 > 2 
and g > 1. For any union of GSp 25 (Z/(7V))-orbits C C GSp^ (Z/(iV)), let P(J> C C) denote 
the probability that the orbit associated to the complete nonsingular model of the (hyper)elliptic 
curve y 2 — f{x), where f{x) G F 9 [x] is chosen from %2g+2 uniformly at random, is contained in C. 

Principle 2 There exist Ci G M>o and c G Z>o, such that 



P(P/ C C) - 



< CxN c /yfq 



#GS P g ) (Z/(7V)) 

for all choices of q, N , and C as above, provided that N is odd as soon as g > 2. 
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The condition TV odd is due to the fact that we restrict to hyperelliptic curves, which as soon 
as g > 2 behave non-randomly with respect to 2-torsion - see Section [5] If instead we considered 
Jacobians of arbitrary curves (e.g. in the sense of Section ll.8[) . we expect that this condition can 
be dropped. 

Again we use the word 'Principle', because no complete proof of this statement has appeared 
in the literature to date. But again, this presumably follows from the work of Katz and Sarnak 
[2"UI Theorem 9.7.13], as elaborated by Achter [3J Theorem 3.1] under mild restrictions on q and 
N. In his case, the exponent reads c = 2g 2 + g. Achter's result is sufficiently general for many of 
our needs below. In particular, it is sufficient for generalizing Theorem U to (hyper)elliptic curves 
of arbitrary genus g > 1, which is done in Section [51 Also note that Achter uses "H^ +2 rather than 



5 Counting matrices with eigenvalue 1 

For use in Sections El and O we study the following general question: given a prime power q, a 
prime £ \ q, an integer g > 0, and d G {0, . . . , 2g}, what is the proportion £ , g, d) of matrices in 
GSpg^Ff) for which the eigenspace for eigenvalue 1 is d-dimensional? The lemma below transfers 
this question to the classical groups Sp 2s (F^) and GL g (F^). Let ^sp(£,9,d) be the proportion of 
matrices in Sp 2g (F^) having a d-dimensional eigenspace for eigenvalue 1, and let *Pgl(^, 5, d) be the 
corresponding proportion for the general linear group GL g (F|), where of course <Pgl(^, 9i d) = as 
soon as d > g. We include g — because of the recursive nature of the arguments below. In this, we 
assume that GSpo^(F^) = Sp (F£) = GL (F^) contains a unique matrix, and that its 1-eigenspace 
is 0-dimensional. In particular, £, 0, 0) = <}3sp(^ 0, 0) = *Pgl(^ 0, 0) is understood to be 1. 

Lemma 3 If q = 1 mod £. then ^(q,£,g,d) = tysp(£,9,d). If 1 ^ 1 mod then ty(q,£,g 7 d) = 
^ci.i' •</.</:• 

Proof. The first statement is a tautology. So assume that q ^ 1 mod I. We follow ideas of Achter 
and Holden [3j Lemma 3.1], which in turn build upon work of Chavdarov |10) . 

First, for r = 0, . . . ,g, let S(q,£,r,d) be the subset of GSp 2 * (F^) consisting of those matrices 
having characteristic polynomial (a;— l) r (ir— q) r and whose 1-eigenspace has dimension d. Similarly, 
let <Sgl(^, t i d) be the subset of GL r (F^) consisting of the matrices having characteristic polynomial 
(x — l) r and whose 1-eigenspace has dimension d. 

We will prove that 

(1) #S(q,£,r,d) = f|^y ' #S GL (£,r,d). 

By Jordan- Chevalley decomposition, every element B G S(q, £, r, d) can be uniquely written as 
the commuting product of a semisimple matrix B s and a unipotent matrix B u . Necessarily, B s € 
GSp^CF^) has characteristic polynomial (x — l) r (x — q) r and B u £ Sp 2r (F^) has characteristic 
polynomial (x— l) 2r . By [101 Lemma 3.4], two such matrices B s must be conjugated by an element 
of Sp 2r (F^ ). It follows that for fixed B s , the number of corresponding _B's in S(q, £, r, d) is always 
the same. Since one instance of B s is diag(l, 1, . . . , 1, q, q, . . . , q), whose centralizer in Sp 2r (Ff) 
equals 

f (m 



t {M~ 



M G GL r (F £ ) 



the number of possibilities for B s is (#Sp 2r (F^))/(#GL r (F£)), and for each B s there are <Sgl(^, r, d) 
appropriate choices for B u . The claim follows. 

Now, let T{q,£,g,d) be the set of matrices of GSp 2 ^(F^) having a d-dimensional 1-eigenspace, 
thus #T(q,£,g,d) = ¥(q,£,g,d) ■ #Sp 2g (F^). We will count the elements M G T(q,£,g,d) sepa- 
rately for each value of r, the order of vanishing at 1 of the characteristic polynomial /m of M. 
To M one can associate a decomposition of the standard symplectic space F^ 9 , (•, •) of the form 
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U2r © ^2(g-r)j where t/ 2r and VWg-r) are M-invariant symplectic subspaces of dimensions 2r and 
2(g - r), respectively, satisfying f M \u 2r = (x - l) r (x - q) r and f M \v Hg _ r) (1) ^ 0. Then 

J-^ #Sp 2o (F f ) 

^ #ap 2r (Jb£) • #bp 2(g _ r) (*«j 

where the first factor corresponds to the number of ways of decomposing F^ 9 , (•, •), the second 
factor counts the number of possible actions of M on /7 2r ., and the third factor counts the number 
of actions of M on V 2 ( g - r ) . We conclude 

(2) y(q,£,9,d) = E # fi g, ^f -V(qJ,9-r,0). 

#Sp 2r (F £ ) 

Along with 

g 

(3) ]T<PM,.M) = i, 

d=0 

one sees that, given the values #S(q,£,r,d), the recursive equation J2]) determines all yi(q,£,g,d) 
by induction on g: first one determines ?fi(q,£,g, 1), . . . ,^l(q,£, g, g), during which one should use 
that #S(q, £, 0, d) = as soon as d > 0, and then one uses §5§ to obtain i, g, 0). 
The statement then follows by noting that one similarly has 

along with the same initial conditions. Thus by ((TJ), the probabilities *P(<z, £, g, d) and *Pgl(^, g, d) 
are solutions to the same recursive equation. By uniqueness they must coincide. ■ 



Now for the classical groups Sp 2s (F£) and GL g (F^), these proportions have been computed 
before. Parts of the following result have been (re) discovered by several people (see e.g. [Tl 111)), 
but the first to obtain closed formulas for both *Psp(^,5,rf) and *Pgl(^, g, d) seem to be Rudvalis 
and Shinoda, in an unpublished work of 1988 [30] that was reported upon by Fulman [Mj [15] and, 
more recently, Lengler [M] and Malle [26] , 

Theorem 5 One has 

V ° h ^ 3 ' d) = #GL d (F,) ' S ^.#01^)' 

lim ?p GL (*, ff ,d) = —, TT (i-r j ) , 

%p( '' 3 ' d)= #S^^-g^-#Sp 2 ,(F,) ^ = ^^> 

1 ^^r^ 1 (-l) J '£ i2+ J 

% P (^ 5) rf) = ^ TrT1 s^^ L *i(* + D. #S p 2j .(F<) ^ = 2 * + 1 ««'4 

j— o J 

d(d+l) oo 

lim ^ Sp (^, ff ,d) = —j TT (1+^V 1 . 



Proof. Proofs can be found in [T¥J Theorem 6] (for everything on the general linear group), 
and in Corollary 1] (for the closed formulas for *}3 sp (£, 9,d)) and [26] Proposition 3.1] (for the 
limit of the latter). The proofs of Fulman [T?] [TS] use the cycle index method, for which, in the 
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symplectic case, the author assumes that £ is odd. However, in the meantime, the required theory 
on cycle indices has been extended to arbitrary characteristic [TB] . The original proof of Rudvalis 
and Shinoda |30] uses integer partitions and works in full generality. ■ 

Along with the well-known identities 



(4) 



#GL 3 (F £ )=^n^- 1 ) and #Sp 2g (F £ )=^ 2 ;Q(^- 1 ) 

3=1 3=1 



(see e.g. [HI Formula (2.9) and Theorem 3.2]), Lemma |3] and Theorem [5] yield explicit formulas 
for each ^(q, £, g, d). 

Since the work of Rudvalis and Shinoda cannot be easily accessed, for sake of self-containedness 
we include an independent computation of ^(9, £, g, d) for the case where d = 0. For the purposes 
of this article, this is the most prominent case, as we will see in Section [6] below. At the end of 
this section, we will study the convergence behavior for g — > oo in additional detail. 

Is is convenient to consider instead Q(q,£,g) = 1 — *$(<?, £, g, 0), the proportion of matrices of 
GSpSJ(F^) for which 1 does appear as an eigenvalue. We prove: 

Theorem 6 With notation as above, for g > we have 

JVIIa-^)- 1 if £\q-l, 
if £\q-l. 



(5) 



Q(g,4s) = < 



r=l j=l 
g r 



■EIK 1 -^)- 1 

r=\ j=l 



Proof. Our starting point is the following recursion formula due to Achter and Holden [31 
Lemma 3.2], the proof of which was our source of inspiration for Lemma [3] above: one has 



where 



HM,s) = E 



S(q,£,r) 



S(g,£,r) 
bi #Sp 2r (F,) 



(l-Q(q,t,g-r)) 



i 2r i{£\q-l, 

DrZ-r #Sp 2r (F f 



d£H if / > a _ i 

and Q(q, £, Q) = 0. Clearly, this determines all Q(q,£,g) uniquely. Using ([4]), this can be rewritten 



as 



(6) 



£ r 2 (i - om, . g - r)) n(^' - ir 1 



Q(q,£,g) = < 



r=l 
9 



i=i 



Y, £ {r " r)/2 (l - 0(g, £, g - r)) - iy 

(r=l j=l 



if £ | 9-1, 
if £{9- 1. 



We will prove by induction on g that ([5]) indeed solves the recursion. We only consider the 
case £ \ q — 1 (the necessary adaptations for the case £ | 9 — 1 are straightforward). Define 
P r := 1X^=1(1 — ^)~ 1 for r > 0. After rearranging terms and using the induction hypothesis for 
g — 1 one finds with some trivial computations that it suffices to prove 



9-1 



(7) 



P g = £^ ■ (-1)« -Pg+Y, ■ (-!) r ' Pr ■ Pi 



g-r- 



r=l 



We are left with showing that with 

k 



S k := Y T r where T r := (-l) r • £ LJ ^~ ■ P r ■ P, 



g-r, 
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we have S g = 0. This however follows from the observation that 

S k = (-l) fe • ■ P k ■ P g - k ■ (1 - e 9 )- 1 ■ (1 - l 9 ~ k ) 

which can be shown easily using induction on k. Indeed: then S g = because its last factor is 
zero. ■ 

Next, we study the limiting behavior of £}(q,£,g) as g — > oo. Define 

oo , i \ -i 
1 U - Q (lJ,9) if t\q-l, 

3=1 



3 = 1 



Then: 



Theorem 7 With notation as above, we have 

oc 

i-n(i 



lim Q(q,l,g) = < 



OO 



i-n(i 



if 

if £ f g — 1. 



Moreover, this convergence is alternating, that is, 



lim £{q,£,g) = 0, and (-1) 9 £ £, 5) > 

g->oo 



/or eac/i <? > 0. 

Proof. We make use of the well-known q-identity 

x(n-l) 



(8) 



E 

n>0 



q 2 x 

(q; q)« 



= n(i + ^q fc ) 



fc=0 



(see for example [TBI H.2]). Here (a;q)„ := YYj=o (1 — OQ') is the Pochhammer symbol. We point 
out the distinction between q (whose role is limited to separating the cases £ 1 q — 1 and £ \ q — 1) 
and the variable q used here. It is not hard to show that ([5]) is equivalent to 



E 



q r (~l) r 



if I I q - 1, 



^ (q 2 ;q 2 )r 

E ^ if ^9-1, 

r=l 



(q; q)r 



where q = £ 1 . 

If I j a; — 1, it immediately follows that 

00 r(r + 1 > - -, \ T 

(9) lim fl(g,l,g) = -^ q \ J 

g^oo ^ ( q; q) r 

where we used ([5]) with x — ~q. To show the convergence is alternating, we have by definition of 
£(q,£,g) and Theorem[Bl that 



OO OO * N 

i-n( i -^)= i -n( i -4) ! 



(10) 



£{q,i,g) = - J2 Il^-^r 1 ' 

r=s+l j=l 
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which tends to as g — > oo. We observe that consecutive summands in (fTO)) add to 

(-i) r _ (-i) r+1 (r +1 -2) 

- n;=i(#-i) - nK(#-i)" nS(^-i) 

Now r > 1 and ^ is prime so that (fTTj) is positive if and only if (— l) r+1 > 0, which holds if and 
only if r is odd. The sum in (|10[) begins with an odd index if and only if g is even or g = 0, which 
shows that {-l)a£{q,l,g) > 0. 

If £ | q — 1 , we conclude similarly that 

OO r 2 , , f OO 

inn (5 , = - E 7^ = 1 n d 

r— 1 v y n— 1 

oo 



i-n(iHr=i-n i4 



by replacing q by q 2 , and setting x = — q. To show the convergence is alternating, we have by 
definition of S(q,£,g) and Theorem[6l that 

oo r 

(12) S(q,l t g) = - J2 ^II^-^)" 1 ' 

'•=9+1 j=l 

which tends to as g — > oo. We observe that consecutive summands in (fT2")l add to 

(-£) r (-ey +1 _ {~£) r + 1 {£ 2r + 2 -i-£) 



(13) 



Again because r > 1 and £ is prime, we find that (fT3")) is positive if and only if (— l) r+1 > so by 
the argument given in the previous case when t \ q — 1, we have that (—l) 9 £(q,£,g) > in this 
case as well. ■ 



6 A generalization of Lenstra's theorem 

With Principle [5] in mind, generalizing Lenstra's Theorem U boils down to counting matrices 
M € GSpg(F^) having 1 as an eigenvalue. Indeed, the Jacobian of a curve C/¥ q will have a 
rational ^-torsion point if and only if Frobenius acting on Jac(C)[£] has a fixed point, i.e. an 
eigenvector with eigenvalue 1. 

More formally, for every positive integer g > 1, and for each pair of distinct primes p > 2 
and £, let P(p,£,g) be the probability that the Jacobian of the (hyper)elliptic curve y 2 = f(x), 
with f(x) G ¥ p [x] uniformly randomly chosen from H2g+2, has rational ^-torsion. Assume that £ 
is odd. Then according to Principle [2 there exist C% G M>o and c G Z>o, independent of p and £ 
(but depending on g), such that 

\P(p,£,g)-&{p,£,9)\<C x £ c /Jp, 

where Q.(p,£, g) is defined as in Section [5] above. This can be considered a proven statement: 
Achter's proof [2j Theorem 3.1] covers the case where ¥ q is a large prime field. Therefore, we 
conclude: 



Theorem 8 There exist C± G IR>o and c G Z>o, such that 

g r 



P(j ) ,£,g) + ^2i r l[(l-£^r 1 

r=l j=l 



p( P ,£,g)+j2U( i - ij y 1 

r=l j=l 



<c x eiy/v ift\p-i 

<C x £ c /^p if£\p-l 



for all pairs of distinct primes p, £ > 2. 
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Note once more that C\ and c do depend on 9. 

Theorem [3] is invalid foi 1 = 2: as soon as g > 2, hyperelliptic curves behave unlike gen- 
eral curves with respect to 2-torsion. But we can estimate P(p,2,g) using the following slightly 
simplified result of Cornelissen [T^l Theorem 1.4]: 

Theorem 9 (Cornelissen) Let f(x) € H2g+2- Then the Jacobian of the hyperelliptic curve de- 
fined by y 2 — f(x) does not have ¥ p -rational 2-torsion if and only if 

• (g odd) f(x) factors as a product of two irreducible polynomials of odd degree; 

• (g even) f(x) factors as a product of two irreducible polynomials of odd degree, or f{x) is 
irreducible itself. 

Using that a polynomial of degree d > 1 over F p is irreducible with probability approximately 1 /d, 
we obtain the following estimates. 

Corollary 1 If g is odd, then 



(9-l)/2 

P(p,2,g)^l- £ 



2j + l 2<? + 2-(2j + l) 



as p — > oo, 



9/2 



whereas if g is even, we have 

P(p,2,g)-H- , 29 - -Y—L- 
(2.9 + 2) 2 ^ 2.7 + 1 

In particular, we have 



(2 5 + 2)2 f^ 2j + l 2. 9 + 2 - (2j + 1) 



as p 



lim P(p,2, fl ) = l, 

g,p— > oo 



hence Theorem^ holds. 



Note again that for g 6 {1,2}, where the random matrix heuristics are assumed to apply (and in 
fact provably do for 1 — 2 — see Corollary [5] for g = 2, exercise for g = 1), we obtain P{p, 2, 1) = 2/3 
and P(p, 2,2) ps 25/46, which is the same as if we would have evaluated the second formula of 
Theorem [5] in 1 — 2. 

We are now ready to derive Conjectures [2] and [HI and to prove Lemma O 

Derivation of Conjecture [2J Let F p be a large prime field and let £ be a prime different from 
its characteristic p. From Theorem [6[ we see that the probability that the Jacobian of y 2 = f(x), 
with f(x) chosen from Hq uniformly at random, has rational ^-torsion is approximately 

/f/4 _ / _ i) P 2 — 2 

if^b-1 and -if^p-1. 



(£ 4 -l)(£2_l) " (£2 _!)(£_!) 

Note that because g — 2, these limiting probabilities are also valid for I — 2. Applying the heuris- 
tics from Section [3] then yields the requested formula for c p . One new point of concern is that 
£(j>), which should now be the largest prime for which £{p) < {^Jp + l) 2 , exceeds p. Therefore, we 
should take into account the contribution of I = p. But since we take p — > oo, it suffices that the 
probability of not having p-torsion tends to 1. This follows from Principle 151 (Section flu]) below. ■ 

Proof of Lemma [2j This is entirely analogous to the proof of Lemma [U ■ 

Derivation of Conjecture [SI Applying our heuristics, using the probabilities given in Theo- 
rem [71 we obtain 

_ ir n£i (i - h) n nr=i (i + ar 1 

Cp ii i _ i ii i _ i 

t\p-\ 1 t\p-\ £ 
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9 


Cp 


1 


0.50516617 


2 


0.69463828 


3 


0.68851794 


4 


0.68857163 


5 


0.68857149 


6 


0.68857149 


7 


0.68857149 



Table 1: Value of c p for growing genus, i.e. the constants appearing in Lemmata [T] and [2J and their 
higher genus analogues. 



Note that we also use these probabilities for £ = 2, since we expect the random matrix statement 
from Pinciplc [5] to apply in arbitrary level N (in the current, more general framework of selecting 
curves from M. g uniformly at random). Rearranging factors gives 

^=nn(i-|)nn(i-i)~'> 

i j=2 v / e\p-ij=i v 7 
from which the requested formula follows. ■ 

We remark that the average setups (Lemmata [T] and [2]) can be thought of as taking matrices at 
random from GSp 2g (F£), rather than GSp 2 ^(F^). 

It is interesting to note, using Theorem [71 that as the genus g grows, the average value 
oscillates, but converges rapidly to its limiting value. This is illustrated numerically in Table [1] Of 
all genera, elliptic curves disfavor prime orders to the biggest extent, and the Jacobians of genus 2 
curves disfavor prime orders to the least extent. 



7 The case of a rational Weierstrass point 

In many applications, often cryptographic, one restricts to genus 2 curves of the form y 2 = f(x) 
where f(x) is chosen from 

%™ = {/ € F g [x] | / monic and square- free, deg/ = 5} 

uniformly at random. Stated more geometrically, one restricts to genus 2 curves having a rational 
Weierstrass point. However, the latter description is not free of ambiguities. Namely, consider the 
notion of randomness in which f(x) is taken from 

?4 >0) = {/ € ¥ g [x] | / square-free, deg / = 6, 3a e F, : f(a) = 0} 

uniformly at random. Then this is fundamentally different from the H™-setting. To illustrate this: 
the probability that the Jacobian of a randomly chosen curve has even order tends to 4/5 = 0.8 
with respect to "H™, whereas it tends to 311/455 ~ 0.68 with respect to 'Hg >0 ' ) . Both statements 
will be proven below. 

The main conclusion of this section will be, however, that the distribution of Frobenius acting 
on any odd-torsion subgroup of the Jacobian is barely affected by this ambiguity. In Section 17.21 
we will show: 

Theorem 10 Let N be an odd positive integer, let q be an odd prime power coprime to N, 
and let % be either Ti™ , Hg >0 ' or TLq. For any subset C C GSp4^(Z/(iV)) that is closed under 



18 



GSp 4 (Z/(iV)) -conjugation, let P(J~f C C) be defined as in Section \4-S[ where now f is chosen from 
% uniformly at random. If Principle [H holds, then there exist C\ € R>o and c <E Z>q such that 



P(J>cC) ~ C 



#GSpi 9) (Z/(iV)) 
for all choices of q and C as above. 



< C\N C /^ 



For "H™, we remark that it is presumably possible to prove Theorem 1101 directly from Katz-Sarnak 
[2"01 Theorem 9.7.13], i.e. independently of Principle^ in the same way as a proof of Principle [2] is 
expected to work, using that the family corresponding to V." 1 has the largest possible monodromy 
group 20, 10.1.18]. 

As an immediate application, one obtains: 



Heuristic derivation of Conjecture EJ By Theorem [TU1 we only need to replace the factor 
|| , corresponding to the prime i = 2, by |. So the correcting factor is ■ 



7.1 Rational 2-torsion in genus 2 

Some material in this section has appeared in the literature before, see e.g. Section 2]. 

Lemma 4 Every non-trivial 2-torsion point on the Jacobian of a genus 2 curve over ¥ q (thought 
of as a divisor class) contains a unique pair of divisors {Pi — Pj,Pj — Pi}, where Pi and Pj are 
distinct Weierstrass points. 

Proof. It is obvious that Pi — Pj and Pj — Pi are linearly equivalent, and that they map to 
a 2-torsion point on the Jacobian. By Riemann-Roch, this point is non-trivial and two different 
pairs give rise to distinct 2-torsion points. Since there are 15 non-trivial 2-torsion points on the 
Jacobian of a genus 2 curve, and since there are 15 pairs in a set of 6 elements, the correspondence 
must be 1-to-l. ■ 

We immediately obtain (compare with Theorem [S]): 

Lemma 5 The Jacobian of a genus 2 curve over ¥ q defined by an equation of the form y 2 = f{x) 
with f G resp. f € has a non-trivial rational 2-torsion point if and only if f is reducible 
resp. f has a factor of degree 2. 

Proof. By Lemma [U there exists a non-trivial rational 2-torsion point if and only if there are 
Weierstrass points Pi and P2 such that {Pi,P 2 } is closed under gth power Frobenius. ■ 

This allows us to estimate the probability that the Jacobian has even order. 

Lemma 6 Let /J" e "H™, fe >0 ^ G %g >0 ' ) and fe € He be chosen uniformly at random. Let C™ , 
Cg >0 ^ and C§ denote the corresponding genus 2 curves. Then as q — > 00 

(1) P(#Jac(C*f 1 )(F, z ) is even) ->■ 4/5; 

(it) P(#Jac(C 6 )(F g ) is even) ->■ 26/45; 

(Hi) P(#Jac(C* ( ^ >0) )(F (? ) is even) 311/455. 

Proof. We leave this as an exercise, or refer to Table [2] below. ■ 

We will now describe the symplectic structure of the 2-torsion subgroup in more detail. Fix 
a genus 2 curve C/¥ q and let Pi,...,P 6 be its Weierstrass points. Following Lemma HI every 
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non-trivial element of Jac(C)[2] can be identified with a unique pair of distinct points {Pi,Pj}, 
and the group structure can be described by the rules 



for all k,£ G {1, . . . , 6}. 

We use this to prove the following. 

Theorem 11 Let q be an odd prime power. There exist Wo, ■ ■ • , We C Sp 4 (F2) such that for any 
curve C/¥ q of genus 2, any symplectic basis of Jac(C)[2], and any r <E {0, . . . , 6}, the matrix F of 
qth power Frobenius with respect to this basis satisfies 



The cardinalities of the W r are 265 ; 264, 135, 40, 15, and 1, respectively. 

Proof. There exist 6 subsets U C Jac(C)[2] that are maximal with respect to the condition that 
u\,U2 G U and u\ ^ u 2 implies 62(111,1*2) = — 1, namely 



Since N = 2, the choice of a primitive iVth root of unity is canonical, hence the Weil pairing 
defines unambiguously a symplectic pairing on Jac(C)[2]. After having fixed a symplectic basis, 
every symplectic matrix induces a permutation of {Ui, . . . , Uq}. In fact, this induces a group iso- 
morphism Sp 4 (F2) — > Sym(6). Indeed, it is easy to see that the above induces an injective group 
homomorphism, and surjectivity follows from #Sp 4 (F2) = #Sym(6) = 720. Then the sets W r are 
the preimages under this isomorphism of the set of permutations having exactly r fixed points. 
While the isomorphism depends on the choice of symplectic basis, the sets W r do not, because 
they are invariant under conjugation. ■ 

Pushing the argument a little further, one actually sees that the conjugacy class of Frobenius, 
which under the above group isomorphism corresponds to a conjugacy class of Sym(6), is completely 
determined by the factorization pattern of f{x), and conversely. Note that there are 11 conjugacy 
classes in Sym(6) = Sp 4 (F2), and that there are 11 ways to partition the number 6. Since the 
probability of having a certain factorization pattern is easily estimated using the well-known fact 
that a polynomial of degree d is irreducible with probability about 1/d, this unveils the complete 
stochastic picture of Jac(C)[2], as shown in Tabled 

Corollary 2 Principle^ holds for g = N = 2. 

Proof. This can be read off from the above table. The only additional concern is the bound on 
the error term, but this is easily verified. ■ 

7.2 Equidistribution in odd level 

In this section, we will prove Theorem [TUl Consider / G %6 >0 \ so that y 2 = f(x) defines a genus 
2 curve having a rational Weierstrass point (a, 0). Then the birational change of variables 



{P U P } + {P %1 P 3 } 
{Pi,Pj} + {PuPk} 

{Pi,pj} + {pk,pt} 





{P„P k } i£j^k 

{remaining two points} if {i,j} fl {k,£} = 0. 



The Weil pairing can be seen to satisfy 



e 2 ({P i ,P j },{P k ,P t }) = 



F G W r if and only if C has r rational Weierstrass points. 



Ui = { {Pi.Pj} I j G {1,2,..., 6} \ {1}} for i = 1, . . . , 6. 





transforms this into y 2 = f'(x) with /' G H5. This leads us to defining a relation 



(>o) 



xn 5 
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He 


njm 

n 5 


conjuj 


;acy classes of Sp 4 ( 


F 2 ) 




pattern 


prob. 


pattern 


prob. 


representant 


size 


order F^-r 


ank 


trace 


Q 


~ l 

~ 6 






/ 1 1 1 \ 
10 10 11 

1 1 1 1 1 J 


120 


6 


n 

u 


n 

u 










Voou/ 










5 1 


~ 1 

~ 5 


5 


~ i 

~ 5 


/0 1 1 0\ 
0010 
010 1 

U101/ 


144 


5 





1 


4,2 


~ I 

8 






/0 1 0\ 
f 1 1 

00 1 
\1 1 0/ 


90 


4 


1 





4,1,1 


~ 1 
~ 8 


4,1 


~ 1 
~ 4 


/ 1 1 1 \ 
110 11 

0101 
Villi/ 


90 


4 


i_ 


n 

u 


3,3 


18 






/l 1 1\ 
10 110 1 
0100 


40 


3 














M100' 










3,2,1 


~ I 

6 


3,2 


~ I 
6 


/ 1 1 \ 
111 
0101 

villi/ 


120 


6 


1 

X 


i 

j. 


3,1,1,1 


~ 1 
~ 18 


3,1,1 


~ 1 
~ 6 


1 11 

0010 
\0 1 1/ 


40 


3 


9 


i 
i 


2,2,2 


r~ 1 

~ 48 






/0 1\ 
( 10 10 1 
0101 1 


15 


2 


2 











v i o o o/ 










2,2,1,1 


r~ 1 

~ 16 


2,2,1 


~ 1 
~ 8 


/0 1 0\ 
f 10 1 
\ 1 J 
\0 1 1/ 


45 


2 


2 





2,1,1,1,1 


~ 1 

~ 48 


2,1,1,1 


~ 1 
~ 12 


/O 1 1 0\ 
1 10 1 
1100 


15 


2 


3 











Villi/ 










1,1,1,1,1,1 


~ 1 
~ 720 


1,1,1,1,1 


~ 1 
~ 120 


/l 0\ 
(01001 
0010 


1 


1 


4 









v o o o i / 











Table 2: Factorization patterns of f(x) G He,H™ and the corresponding Frobenius conjugacy 
classes. For instance, the pattern 3,1,1,1 means that f(x) G He factors into three linear polynomials 
and one irreducible cubic polynomial. The probability of this event is approximately | • ^ j = jg. 
The corresponding conjugacy class of Frobenius is generated by the depicted matrix and contains 
40 elements. Every such element has order 3 and trace 1, and its eigenspace for eigenvalue 1 is 
2-dimensional (i.e. dim Jac(C)[2](F 9 ) = 2). 



associating to / G H 6 all polynomials of H§ that can be obtained through the above procedure. 
However, this correspondence is not uniform, because of the number of choices that can be made 
for a, i.e. the number of rational roots of /. This is the reason why the notions of randomness 
with respect to H5 (or Hf) and H^ ^ are fundamentally different, as reflected in Lemma [51 
We are led to introducing the following notation. For r G {0, . . . , 6}, define 

H^ = {/ G F q [x] I / square- free, deg/ = 6, / has precisely r rational zeroes} 

so that 

(14) H,= \_\Ht ] and W$>°> = [J 

r— r— 1 

Similarly, for r G {0, . . . , 5} we introduce 

H^ = {/ G V q [x] I / square-free of degree 5, / has precisely r rational zeroes} , 

so that 

H 5 =\jH^. 

Note that H^ and H^ are empty. We implicitly omit these sets to avoid probabilities of the type 
lj. Similarly, we assume that q > 6 so that none of the other sets are empty. 

Now because of ([T4"]) . to prove Theorem [TU] for H 6 >0 \ it suffices to do so for each H 6 (r = 
1, . . . , 6). Similarly, by the discussion in Section[2]we can use H5 instead of H™, and it is sufficient 
to prove Theorem |TD] for Hjf (r = 0, . . . , 5) in this case. Finally, by the lemma below, the cases 
H§ can in turn be reduced to the cases H^ . 



21 



Lemma 7 Let Sq — {/ E H5 | /(O) 7^ 0}. For each r = 1, . . . , 6, the restriction of p to 



H, 



is uniform. 

Proof. This is immediate. ■ 

We are now ready to prove Theorem 1101 

Proof of Theorem 1 101 By the above discussion, it suffices to estimate the conditional proba- 
bilities 

P{Fj C C and / G n ( 6 r) ) 



P(F f cC\feuP) = 



P(f € Ht ] ) 



(r) 

for r = 1, ... ,6. By Theorem [TTJ / G Hq is equivalent to saying that the conjugacy class of 
Frobenius, acting on the 2-torsion points of the Jacobian of y 2 — f(x), is contained in W r . Denote 
this conjugacy class by .F/,2- Similarly, let Ff,2N denote the conjugacy class of Frobenius acting 
on the 2iV-torsion points. 

Since N is odd, we have a canonical isomorphism 

GSpi 9) (Z/(2iV)) <* GS P i g) (F 2 ) © GSpi ?) (Z/(iV)), 

allowing us to consider W r © C as a subset of GSpi 9) (Z/(2iV)). Because it is the union of a number 
of orbits under GSp 4 (Z/(2iV))-conjugation, there exist C\ G M>o and c G Z>o, such that 



(15) 



P{Ff,2N CW r ®C) 



#{W r ®C) 

#GS P i 9) (Z/(27V)) 



< dN c /y/q 



for all choices of q, N and C In particular, for N = 1 this gives 



(16) 

Since 

and 



( r) ^ #W r 

#GSp 4 ?) (F 2 ) 



< Ci/y/q. 



P{Ff,2N C W r © C) = C C and 7>, 2 C W r ) = P(>> C C and / G ^ r) ) 

#(W r © C) #W r #C 



#GS P i 9) (Z/(2iV)) #GS P i 9) (F 2 ) #GSpi' z) (Z/(7V)) 
inequality (1151) can be rewritten as 



#GSpi 9) (F 2 ) 



P(feH { ; } ) #GSpi 9) (Z/(7V)) 
It follows from (|16[) that there is a C 2 G K + such that 



< 



C x N c /^q 



P(/GK«) 



P(7> cC\feH 



#GS P i 9) (Z/(7V)) 
for all choices of g, iV and C. This ends the proof. 



< 



C 2 N c /y/q 
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8 The number of points on the curve itself 



Up to now we have focused entirely on the number of rational points on the Jacobian of a curve. 
However, the random matrix framework allows us to consider the number of rational points on the 
curve itself as well. 

For any pair of distinct primes p > 2 and £, and any t € We, we define the following constants: 



Be 
Cet 



:= #{(x,y)eWf x (F*\{-p» | (x + y/x)(l+p/y) = t}, 

~-£ A ifi = 0, 



t((£ -!)(£- 2) + a lAp ) + 







otherwise, 



:= lHi 2 -lf, 

:= £ 5 (£-l)(£ 3 -£-!) + 



f - £ 6 if t = 0, 
otherwise. 



Note that it is probably impossible to find a simple formula for ai,t,p since, in general, it describes 
the number of points on an elliptic curve over Wg (though it is clear that ae,t,p lies close to £). 
Let P(p, £, t) be the probability that the number of rational points on the nonsingular complete 
model of the curve C : y 2 — f(x), with f(x) chosen uniformly at random from %§, is congruent to 
p + 1 — t modulo I. 



Theorem 12 There exist C\ € M>o and c € Z>o, such that 

Ae,t, P + Bg + Ce.t 



P( P ,£,t) 



£ 4 ■ (£ 4 - 1) ■ {P - 1) 



for all p, £, t as above. 



Proof. Because the trace of a matrix is invariant under conjugation, it suffices by Principle [2] 
(proven for I odd by Achter [2j Theorem 3.1], and for £ = 2 in Corollary[2]) to count the number of 
matrices M in GSp^^F^) with trace t, and show that it equals Ag^.p + Be + Ce.t- Our main tool 
is the following Bruhat decomposition of Sp 4 (F^), proven by Kim [22]. Consider the group 



(17) 



P = 



A AB 
t A~ 1 



A, B e Wj , A invertible, B symmetric > , 



then we have the disjoint union 



Sp 4 (F, 



P U PaxP U Pa 2 P 



where 



<7l = 



and 



= n = 



o h 

-h o 



/ 1 0\ 
10 
-10 

V o ooi/ 

For r £ {1,2}, consider the subgroup 

A r = {MeP\ oyMov 1 e P }. 
Then one can find unique representatives for the elements of Pa r P by rewriting 

Pa r P = Pa r (A r \P), 

where A r \P should be seen as a set of representatives of the right cosets of A r in P. This implies 
that 

\Pa r P\ = \P\ ■ \A r \P\. 
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One can prove (see [22]) that |Ai\P| = £ 2 + £ and \A 2 \P\ = £ 3 ■ Taking a = I 4 , the Bruhat 
decomposition of Sp 4 (F^) implies the following partition of GSpjf^F^): 



2 

GSpi p) (F £ )= \_\d p Pa r P. 

We will do a component- wise count of the number of matrices having trace t. First we observe 
that 

\{M £ d p Pa r P\ Tr(Af) = t}\ = \ A r \P\ ■ \{M £ d p Pa r | Tr(Af) = t}\ 
for r = 1, 2. Indeed, every element of d p Pa r P has a unique representation of the form 

d p Ma r N 

with M £ P and N £ A r \P (where A r \P is thought of as a set of representatives of the right 
cosets of A r ). Using this representation, the map 

d p Pa r P -t d p Pa r : d p Ma r N ^ d p (d~ 1 Nd p M)a r 

is surjective and |A r \P|-to-l. Since d p Ma r N and d p (d~ 1 Nd p M)a r are conjugated, the observation 
follows. 

A matrix M £ d p P can be written as f q p.^f- 1 J with A £ GI^F^) and B £ ¥ 2x2 symmetric. 

First, we consider Mai, whose trace equals —(AB)i : i + A 2: 2 + (p ■ t A~ 1 )2.2, where the index 
notation refers to the corresponding entries. Fix A and let B vary. Then because {AB)\_\ — 
^1,1^1,1 + -Ai,2-E?2,i and not both Ai^ and Aip can be zero, we find that each trace occurs 
equally often. We conclude that traces are uniformly distributed in d p P<j\. Next, for Ma 2 we 
find that Tr(M<72) = — Tr(AP), which is uniformly distributed for all A not of the form (_?„§), 
and which is zero if A does have this form. Using the above formulas for |.A r \P| and using 
|GL2(Ff)| = £(£ 2 — 1)(£ — 1), we find that the number of matrices in d p Pu\ U d p P<72 having trace 
t equals Bg + C^f 

Finally we consider M £ d p P when Tr(M) = Tr(A) + Tr (pA^ 1 ). We write A = ( a c b d ) and let 
S = ad — be be its determinant. Clearly Tr(M) = Tr(A) ■ (1 +p/S). There are £(£ 2 — 1) matrices 
A with determinant —p, in which case this trace equals 0. So suppose that S ^ —p. When a = 
it is easy to see that we have uniform distribution, so we also suppose that a ^ 0. We can replace 
d by (6 + be) I a and again, if b ^ we will find uniformity. Finally the case 6 = gives as trace 

(a + S/a)(l+p/S), 

so that an easy calculation shows that the number of matrices in d p P with trace t equals Ag^_ p M 



Table [3] gives the respective probabilities for various small £. Note that the probabilities of 
C resp. Jac(C) having an even number of rational points are the same, despite the fact that 
these events do not coincide. Also note from Table [3] that trace is favored. This is a general 
phenomenon that can be seen as follows. It is not hard to verify that if 2t(t 2 — 16p) = mod £, 
the curve (x + y/x)(l +p/y) = t in the definition of a^t,p is reducible or has genus 0, in which case 
a e,t,p can be explicitly computed. It is equal to zero if £ = 2. For t = mod £ and £ > 2 we can 
compute the following estimate for P(p,£,t): 



£ 9 - £ 6 - £ 5 - t £ 3 - £ - 1 



if p is a square modulo £ and 



£ 4 (£ 4 - l){£ 2 - 1) {P-lf 

£ 9 ~ £ 6 - £ 5 + 1 _£ 3 +£-l 
£ 4 (£ 4 - l){£ 2 - 1) _ £ 4 - 1 

otherwise. Both probabilities are indeed larger than l/£. If p = t 2 /16 mod t and hence t ^ mod £ 
we obtain 

£ 9 - f - £ 6 - £ 5 - £ 4 £ b - £ 3 - £ 2 - £ - 1 



£ 4 {£ 4 - l){£ 2 - 1) {£ 4 -\){£ 2 -l) 
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Ti 1T1 o ri P \ t 


o 


1 








£ = 2 


1 


26 
45 


19 
45 










p mod £ \ t 





1 


2 






1 = 3 


1 


46 
128 


41 
128 


41 
128 








2 


58 
160 


51 
160 


51 
160 








p mod £ \ t 





1 


2 


3 


4 




1 


3094 
14976 


2969 
14976 


2972 
14976 


2972 
14976 


2969 
14976 


£ = 5 


2 


774 
3744 


743 
3744 


742 
3744 


742 
3744 


743 
3744 




3 


774 
3744 


742 
3744 


743 
3744 


743 
3744 


742 
3744 




4 


3094 
14976 


2972 
14976 


2969 
14976 


2969 
14976 


2972 
14976 



Tabic 3: Distribution of Frobenius traces modulo small £ for y 2 = f(x), with f(x) £ T-Lq chosen at 
random. 



if I = 1 mod 4 and finally when £ = 3 mod 4 we find 

£ 9 -f -£ 6 -£ 5 +£ 4 _ £ 5 -£ 3 -£ 2 -£+l 
£ 4 (£ 4 - l){£ 2 - 1) ~ (£ 4 -l)(^-l) ' 



Heuristic derivation of Conjecture [H The number of rational points on the curve defined 
by y 2 = f{x) is divisible by £ if and only if its trace t is congruent to p + 1 mod £ Thus, by 
Theorem 1121 the probability that this number of points is not divisible by £ can be estimated by 



(£ 4 -l)(i 2 -l)' 



where /3^ p is as in the introductory Section 11.51 Dividing by 1 — j and taking the product then 
gives the constant c p from Conjecture |4] The factor corresponding to £ = 2 can be read off from 
the table above (or from Table [5]). When switching from He to H5, following Theorem [TU] and 
using Table [5J we should replace the factor || by if • B 



9 The probability of cyclicity 

In this section, we will estimate the probability P(p, g) that the group of rational points of the 
Jacobian of the (hyper)elliptic curve C : y 2 = f(x), with f(x) chosen from ^2^+2 uniformly at 
random, is cyclic. This question is of a different type from what we have considered so far. We 
use the following heuristic reasoning. Note that Jac(C)(F p ) is cyclic if and only if Jac(C)[£](F p ) is 
cyclic for each prime £. The probabilities of the latter events can be estimated using Principle [2] 
for each £ ^ p, this is approximately 

where the notation from Section [S] is used. For a reason similar to the one explained in the deriva- 
tion of Conjecture [5] in Section we will omit the contribution of £ = p. Then the idea is to 
assume independence and naively multiply these proportions. As suggested by our experiments in 
Section ITTT this gives very accurate predictions for g £ {1,2}. In particular, an effect of the type 
reflected in Mertens' theorem seems absent in this non- relative setting. For g = 1, the heuristics 
confirm a formula proven by Vladut; [Ml Theorem 6.1]. 

Heuristic derivation of Conjecture [5J The formulas of Theorem [5] for g = 2 give 

C ^8_^_ £ 5_ £ 4^2 +£+1 

v(p,/,2,o)+«p(p,*,2,i)= , ^-yt*-i > ; p ' 

{ 1 - i { p- m -i) ii£\p-l. 
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9 


factor 


1 


0.81375191 


2 


0.80882586 


3 


0.80924272 


4 


0.80923674 


5 


0.80923677 


6 


0.80923677 


7 


0.80923677 



Table 4: Average conjectured probability of being cyclic for growing genus. 



Multiplying gives the conjectured formula. If we switch from Hq to H™, the leading factor y|i 
should be replaced by as can be read off from Table [2 ■ 

Proof of Theorem [3J This is analogous to the proof of Theorem [5] (see Corollary [T]). In fact, 
the original version of Cornelissen's Theorem^ [HI Theorem 1.4] is much stronger and describes 
the rank of Jac(C)[2](F p ) in terms of the factorization pattern of f{x). E.g., it suffices that f{x) 
has at least 4 distinct factors for the rank to be at least 2. From this, one verifies that for g — > oo, 
this rank will be 2 or larger with a probability converging to 1. ■ 

Heuristic derivation of Conjecture GO This is a combination of the derivations of Conjec- 
tures [5] and O the details of which we leave to the reader. ■ 

As in the case of primality, we list the average values (in the sense of Conjecture 1 1 . 3jl of the 
probabilities of cyclicity for growing genus in Table 2] Again one notices that the convergence is 
alternating (although we did not elaborate the details of a proof of this) and fast. 



10 Extension fields 

In this section, we briefly discuss how our heuristics can be adapted to the setting of finite fields 
F p k of growing extension degree, over a fixed prime field ¥ p . In this situation one can no longer 
neglect the contribution of the prime i = p. 

Let C/Fpfc be a complete nonsingular curve of genus g > 1 and, as before, denote by A — Jac(C) 
its Jacobian. One has 

A\p] = (w p y 

for some < r < g. We assume that if k is large and one picks C at random (e.g. from 

A4 g = { curves of genus g over ¥ p k } / =w pk 

uniformly at random), one has r = g with probability 1. This is reasonable, because the moduli 
space A g of abelian varieties of dimension g is stratified by rank, the stratum corresponding to 
r = g having the biggest dimension |28i Theorem 4.1]. We do not claim a proof of this assumption 
however, although for hyperelliptic curves this is a known fact [4l I29j. If r = g, then the matrix 
of p k th power Frobenius acting on A[p] with respect to any F p -basis is an element of GL g (F p ). 
Thus, in that case, we can unambiguously associate to C a conjugacy class of matrices of p k th 
power Frobenius, denoted by Tc- The expectation is that for every union of conjugacy classes 
C C GL g (Fp), the probability that Tc C C becomes proportional to #C (as k — > oo). 

Returning to hyperelliptic curves, let P(J 7 / > ? 1 C C) be the probability that the conjugacy class 
of Frobenius associated to the hyperelliptic curve y 2 + h{x)y = f(x), where (/, h) is chosen from 
T~L g +\,2g+2 uniformly at random, is contained in C. As explained in Section [5J for p > 2 one can 
assume h{x) = and f(x) chosen from %2g+2 if wanted. 
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Principle 3 Let g £ {1,2}. There exist C\ £ ]R>o and c £ Z>o such that 



P{?f,h c C) 



#GL 9 (F P ) 



for all choices ofp,k, and C as above. 

The assumption g £ {1,2} is a 'safety' measure, because we do not feel comfortable with the 
behavior of the hyperelliptic locus inside A g as soon as g > 2. In fact, even for g — 2 some 
prudence is needed with respect to Principle [3J the literature seems to contain much less evidence 
in its favor than in the cases of Principle [T] and Principle [5J 

In contrast, for g = 1 Principle [3J can be proven by applying the Hasse-Weil bound to the 
Igusa curve Ig(p), whose ¥ p k -rational points essentially parameterize pairs (E,P), where E/¥ p k 
is an elliptic curve and P £ E[p](¥ p k). A more elementary but longer proof is given below. We 
include it because we believe some intermediate statements are interesting in their own right (in 
fact, we develop a version of [3J3 Theorem V.4.1], which is on the Legendre family, for Weierstrass 
equations). First note that Principle |3J is trivial for p = 2 and for p = 3, in the latter case because 
quadratic twisting provides a bijection between the set of elliptic curves having trace 1 mod 3 and 
the set of elliptic curves with trace 2 mod 3. 

Theorem 13 Let p > 5 be a prime number, let k > 1 be an integer, and let t € {1, . . . ,p— 1}. Let 
St be the set of couples in 

S = Ha.b = { (A, B) £ {¥ pk f | 4A 3 + 27B 2 ^ 0} 



for which the trace T of the p k th power Frobenius of the elliptic curve given by y 2 — x 3 + Ax + B 



satisfies T = t mod p. Then #5 = p 2k — p K and 



p-1 



< 3p 



■2 k 



p k . 



Proof. We leave it as an exercise to show that #5 = p" 

For each (A, B) £ S, one has that T mod p equals the norm (with respect to ¥ p k /¥ p ) of the 
coefficient ca.b of x^ 1 in 

(x 3 + Ax + 3)^ 



(see the proof of [32j Theorem V. 4. 1(a)]). Lemma [8] below shows that for every 7 £ ¥* k , the 
polynomial ca,b — 7 is absolutely irreducible when A and B are considered to be variables. 

Now write S' t for the set of couples (A,B) £ (¥ pk ) 2 in which ca,b evaluates to an element 
7 £ ¥ p k \ {0} with norm t (regardless of the condition AA 3 + 27 B 2 ^ 0). There are 



p-1 



such 7's. For each of these the polynomial ca,b — 7 defines a plane affinc curve, by the claimed 
irreducibility. Its degree is bounded by d = 3(p — l)/2, hence its (geometric) genus is at most 
(d — l)(d — 2)/2, and the number of points at infinity is at most d. Therefore the set S' C S' t of 
couples satisfying ca.b = 7 is subject to 

|#s;-(p fe + i)| <{d-i)(d-2)^+d<\pi +2 

by the Hasse-Weil bound. Note that ca.b = 7 defines an affine, possibly singular curve, so some 
caution is needed when applying the Hasse-Weil bound. See [T3J Theorem 5.4.1] for the details. 
Summing up, and using (p k — l)/(p — 1) < 4p fc_1 (since p > 5), 



■2k 



- 1 



p-1 



45 2 
" 16^ 
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Because ff(S' t \ St) < p k and 5p k 1 < p k < j^p^ k+1 , we obtain 



p 2k _ p k 



< 



2k _ i 

#5 ( ' 



p-1 



p k - 1 /45 1 5 1 



p-1 - I 16 + 11 + 4 ' 55 ' 



p-1 

which ends the proof. 

Lemma 8 Let p > 5 be a prime number and let ca.b S !Fp[j4., B] be the coefficient of x p ~ l in 



(x^+Ax + B)^ e¥ p [A,B][x]. 



Then ca,b is homogeneous of (2 ,3) -weighted degree (p — l)/2, nonzero, and absolutely squarefree. 
As a consequence, for any 7 G ¥ p , the polynomial 



c A ,B-l e¥ p [A,B] 



is irreducible. 

Proof. One verifies that 



2 



2i 



from which it immediately follows that ca.b is nonzero and homogeneous of degree (p — l)/2 if we 
equip A and B with weights 2 and 3 respectively. It is easy to verify that A and B appear as a 
factor at most once. 

Let c' A b be obtained from ca,b by deleting the factors A and B when possible. Define ea (resp. 
Eb) to be 1 if a factor A (resp. B) was deleted, and otherwise. Then c' A b i s still homogeneous, of 
degree (p — 1 ) / 2 — 2^ — 3es . After dividing by a suitable power of A and considering the resulting 
polynomial in the single variable B 2 /A 3 , one verifies that c' A B splits (over ¥ p ) 

(19) c{B 2 - ai A 3 )(B 2 - a 2 A 3 ) ■ ■ ■ {B 2 - a r A 3 ) 

with r = g((p— l)/2— 2e,4 — 3e_e) and all c, a, 7^ 0. Each of these factors corresponds to a 
ji 7^ 0, 1728 for which the elliptic curve over F p with j-invariant ji is supersingular, and conversely 
all supersingular j-invariants different from and 1728 must be represented this way. Now the 
number of supersingular j-invariants different from and 1728 is precisely given by r (see the proof 
of jnH Theorem V.4.1(c)]). Therefore, all factors in (IT91 must be different, and in particular ca,b 
must be squarefree. 

Now let 7 6 and suppose we had a nontrivial factorization 

c A ,B-l = {F l +X l ){F 2 +X 2 ), 

where F\ and F 2 are the components of highest (weighted) degree of the respective factors. Then 
it follows that F\F 2 = ca.b, so F\ and F 2 cannot have a common factor. It also follows that 

(20) XxF 2 + X 2 F X + X X X 2 +7 = 0. 

Let X[ and X' 2 be the components of highest degree of X\ and X 2 respectively. Suppose deg X\F 2 > 
degX2.Fi. Then X[F 2 is zero, because it cannot be cancelled in ([20]) . But then X[ = Xi = 
and we run into a contradiction. By symmetry, we conclude that deg JTii 7 ^ = degX2.F1. But then 
X[F 2 + X 2 Fi = 0. So all factors of F\ must divide X[F 2 , which is impossible unless X[ — 0, and 
we again run into a contradiction. ■ 



We end this section with a derivation of Conjectures [6] and [3 To apply our heuristics, we need 
to generalize the material from Section |51 In analogy with the notation employed there, for any 
prime power q, any prime number £, and any integer g > 1, let P{q, I, g) be the probability that the 
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Jacobian of the hyperelliptic curve y 2 + h(x)y = f(x), with (/, h) chosen from 'H ff +i,2g+2 uniformly 
at random, has an F g -rational ^-torsion point. Let 0.(q,£,g) be the proportion of matrices of 

GSpg(F*) having 1 as an eigenvalue if £ j q, and the proportion of matrices of GL g (F^) if £ | q. 
Then according to Principles [2] and [3J if g € {1,2} we have that P(q,£,g) — > Q(q,£,g) as q — > oo. 
Recall from Theorem |B] that one has 



(21) 



r— 1 j— 1 

9 r 



r=l j=l 



if £ { g. However, the same formula applies for I \ q, because in case £ \ q — 1, the proportion of 
matrices of GSp^^) having 1 as an eigenvalue equals the corresponding proportion for GL 5 (F£) 
anyway, due to Lemma [3J In other words, one can blindly adapt Theorem [5] to this more general 
setting. Therefore: 



Heuristic derivation of Conjectures [6] and [3 This is a copy of the heuristic derivations of 
Conjectures [T] and [H ■ 



11 Experimental evidence 

The following tables present experimental data in support of Conjectures HH5] Table [5] lists t- 
torsion frequency data and c p values for elliptic curves, which is relevant to Conjecture [JJ and the 
corresponding LemmaQ] Table[B]lists similar data for Jacobians of genus 2 curves, see Conjectures^ 
and [3J and Lemma O Table [JJ lists c p values for the number of points on the curves themselves, 
related to Conjecture |H while Table [S] gives experimental trace distributions of genus 2 curves 
modulo £, see Table [3] above. Tables l9l and [TOl relate to Theorem [1] and Conjecture [5j concerning 
the rank of the Jacobians of curves of genus 1 and 2 (respectively) . Finally, Table [TT] supports 
Conjecture [5] on the case of extension fields in genus 1. 

The data in Tables I5HTU1 was obtained using the SMALLJAC library [33], based on the algorithms 
described in [3T]. Table [Til was obtained using the intrinsic Magma [7] point counting function. 
We conducted our tests by sampling random curves C over finite fields F p . We collected data both 
using fixed primes p, and for all primes in a given interval. For genus 1 we used p 10 12 and for 
genus 2 we used p « 10 6 (except for Table [7]) so that in both cases #Jac(C)(F p ) sa 10 12 . Each 
test with a fixed prime used a sample size of approximately 10 6 , while our interval tests used 10 2 
curves for each of at least 10 primes. In order to maximize the performance of the algorithms 
used to collect the data, we restricted our tests to curves of the form y 2 = f(x), where / is a monic 
polynomial of degree 2g + 1. Therefore, in genus 2, our experimental data should be compared 
to the "W^-analogues of the conjectures that deal with W 6 (which according to Theorem IT01 only 
affects the contribution of £ = 2, the necessary adaptations to which can be made using Table [5]). 
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V 




£ = 2 


I = 3 


e = 5 


£ = 7 


Cp 


10 


+ 39 


observed 


0.6654 


0.3749 


0.2507 


0.1664 


0.5492 






predicted 


A RRRT 

O.ooo { 


0.3/50 


a O K AA 

O.zoOO 


A 1 Cfi7 

O.lOO/ 


0.0004 


10 12 


+ 61 


observed 


0.6662 


0.5003 


0.2083 


0.1664 


0.4686 






predicted 


0.6667 


0.5000 


0.2083 


0.1667 


0.4646 


10 12 


+ 63 


observed 


0.6672 


0.3756 


0.2503 


0.1460 


0.5600 






predicted 


0.6667 


0.3750 


0.2500 


0.1458 


0.5642 


10 12 


+ 91 


observed 


0.6660 


0.4989 


0.2089 


0.1454 


0.4818 






predicted 


0.6667 


0.5000 


0.2083 


0.1458 


0.4794 


[10 n 


, 10 12 + 4 ■ 10 6 ] 


observed 


0.6666 


0.4374 


0.2396 


0.1631 


0.5044 






predicted 


0.6667 


0.4375 


0.2396 


0.1632 


0.5052 



Table 5: ^-torsion frequencies and c p values for C(F P ) using random elliptic curves C : y 2 = f(x) 
with / € M™. Sample size is 10 6 (or 10 2 for p ranging over the interval [10 12 , 10 12 + 4 • 10 6 ]). 



p 




I = 2 


£ = 3 


I = 5 


1 = 7 


c p 


10 6 


+ 3 


observed 


0.7991 


0.3616 


0.2395 


0.1628 


0.3426 






predicted 


0.8000 


0.3609 


0.2396 


0.1632 


0.3444 


10 6 


+ 37 


observed 


0.8000 


0.4376 


0.2393 


0.1626 


0.3056 






predicted 


0.8000 


0.4375 


0.2396 


0.1632 


0.3037 


10 6 


+ 81 


observed 


0.8001 


0.3619 


0.2066 


0.1632 


0.3571 






predicted 


0.8000 


0.3609 


0.2067 


0.1632 


0.3593 


10 6 


+ 121 


observed 


0.8003 


0.4376 


0.2059 


0.1637 


0.3197 






predicted 


0.8000 


0.4375 


0.2067 


0.1632 


0.3189 


[10 e 


, 2 ■ 10 6 ] 


observed 


0.8000 


0.3992 


0.2314 


0.1604 


0.3285 






predicted 


0.8000 


0.3992 


0.2314 


0.1602 


0.3290 



Table 6: ^-torsion frequencies and c p values for Jac(C)(F p ) using random genus 2 curves C : y 2 = 
f(x) with / e "H™. Sample size is 10 6 (or 10 2 for p ranging over the interval [10 6 , 2 • 10 6 ]). 





10 9 + 7 


10 9 + 9 


10 9 + 21 


10 9 + 33 


observed 


1.0162 


1.0738 


1.0892 


1.0945 


predicted 


1.0194 


1.0790 


1.0865 


1.0898 



Table 7: c p values for the number of points on random genus 2 curves y 2 — f(x) with / G 
%g\ Sample size is 10 6 . The deviations are larger here due to the shorter intervals (of width 
approximately 8 • 10 9 / 2 versus 8 ■ 10 6 and 4 • 10 6 in Tables [S] and [5] above) . 
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p 


t 




t = 


t = 1 


t = 2 


t = 3 


t = 4 


10 6 


+ 3 


2 


observed 
predicted 


0.4658 
0.4667 


0.5342 
0.5333 












3 


observed 
predicted 


0.3598 
0.3594 


0.3205 
0.3203 


0.3197 
0.3203 










5 


observed 
predicted 


0.2072 
0.2067 


0.1988 
0.1982 


0.1978 
0.1985 


0.1981 
0.1985 


0.1981 
0.1982 


10 6 


+ 37 


2 


observed 
predicted 


0.4653 
0.4667 


0.5346 
0.5333 












3 


observed 
predicted 


0.3628 
0.3625 


0.3185 
0.3188 


0.3186 
0.3188 










5 


observed 
predicted 


0.2070 
0.2067 


0.1982 
0.1985 


0.1981 
0.1982 


0.1983 
0.1982 


0.1984 
0.1985 


10 6 


+ 39 


2 


observed 
predicted 


0.4667 
0.4667 


0.5332 
0.5333 












3 


observed 
predicted 


0.3593 
0.3594 


0.3206 
0.3203 


0.3202 
0.3203 










5 


observed 
predicted 


0.2068 
0.2066 


0.1978 
0.1985 


0.1983 
0.1983 


0.1989 
0.1983 


0.1982 
0.1985 


[10 6 ,2- 10 6 ] 


2 


observed 
predicted 


0.4669 
0.4667 


0.5331 
0.5333 












3 


observed 
predicted 


0.3609 
0.3625 


0.3194 
0.3203 


0.3197 
0.3203 










5 


observed 
predicted 


0.2068 
0.2067 


0.1982 
0.1984 


0.1984 
0.1984 


0.1981 
0.1985 


0.1985 
0.1984 



Table 8: Trace distributions modulo I for random genus 2 curves y 2 
size is 10 6 (or 10 2 for p ranging over the interval [10 6 , 2 • 10 6 ]). 



f(x) with feHf. Sample 
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p 


£ 




rank 


rank 1 


rank 2 


10 12 


+ 39 


2 


observed 


0.3346 


0.4993 


0.1661 








predicted 


0.3333 


0.5000 


0.1667 






3 


observed 


0.6251 


0.3334 


0.0415 








predicted 


0.6250 


0.3333 


0.0417 






5 


observed 


0.7492 


0.2507 










predicted 


0.7500 


0.2500 








oo 


observed 




0.7988 


0.2013 








predicted 




0.7980 


0.2020 


10 12 


+ 61 


2 


observed 


0.3338 


0.4996 


0.1666 








predicted 


0.3333 


0.5000 


0.1667 






3 


observed 


0.4997 


0.5003 










predicted 


0.5000 


0.5000 








5 


observed 


0.7917 


0.1999 


0084 








predicted 


0.7917 


0.2000 


0083 






oo 


observed 




0.8263 


0.1737 








predicted 




0.8264 


0.1736 


10 12 


+ 63 


2 


observed 


0.3328 


0.4995 


0.1677 








predicted 


0.3333 


0.5000 


0.1667 






3 


observed 


0.6244 


0.3339 


0.0416 








predicted 


0.6250 


0.3333 


0.0417 






5 


observed 


0.7497 


0.2503 










predicted 


0.7500 


0.2500 








oo 


observed 




0.7953 


0.2047 








predicted 




0.7962 


0.2038 


[10 12 


,2 • 10 12 + 4 • 10 fi ] 


2 


observed 


0.3334 


0.4999 


0.1666 








predicted 


0.3333 


0.5000 


0.1667 






3 


observed 


0.5626 


0.4166 


0.0208 








predicted 


0.5635 


0.4167 


0.0208 






5 


observed 


0.7604 


0.2375 


0.0021 








predicted 


0.7604 


0.2375 


0.0021 






oo 


observed 




0.8138 


0.1862 








predicted 




0.8138 


0.1862 



Table 9: Rank frequencies for C(F p ) for random elliptic curves C : y 2 = f(x) with / <E "H™. 
Sample size is 10 6 (or 10 2 for p ranging over the interval [10 12 , 2- 10 12 ]). Rows with I = oo indicate 
maximum i'-rank over all primes £. 
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V 


I 




rank 


rank 1 


rank 2 


rank 3 


rank 4 


10 6 


+ 3 


2 


observed 





200113 


0.416313 


0.291528 





083775 





008271 








predicted 





200000 


0.416667 


0.291667 





083333 





008333 






3 


observed 





637964 


0.320212 


0.040254 





001548 





000022 








predicted 





639063 


0.319444 


0.039931 





001543 





000019 






5 


observed 





761095 


0.236804 


0.002101 
















predicted 





760417 


0.237500 


0.002083 














00 


observed 






0.589030 


0.317489 





085188 





008293 








predicted 






0.589471 


0.317443 





084733 





008352 


10 6 


+ 81 


2 


observed 





200794 


0.416446 


0.290857 





083593 





008310 








predicted 





200000 


0.416667 


0.291667 





083333 





008333 






3 


observed 





637636 


0.320698 


0.040107 





001533 





000026 








predicted 





639063 


0.319444 


0.039931 





001543 





000019 






5 


observed 





793657 


0.198090 


0.008186 





000067 





000000 








predicted 





793336 


0.198333 


0.008264 





000067 





000000 






oo 


observed 






0.586416 


0.320192 





085056 





008336 








predicted 






0.585781 


0.321073 





084794 





008353 


10 6 


+ 133 


2 


observed 





199300 


0.416997 


0.292156 





083233 





008314 








predicted 





200000 


0.416667 


0.291667 





083333 





008333 






3 


observed 





562514 


0.416732 


0.020754 
















predicted 





562500 


0.416667 


0.020833 














5 


observed 





760019 


0.237919 


0.002062 
















predicted 





760417 


0.237500 


0.002083 














00 


observed 






0.600296 


0.308148 





083242 





008314 








predicted 






0.600635 


0.307690 





083341 





008333 


[10 ( 


,2 ■ 10 6 ] 


2 


observed 





200039 


0.416528 


0.291761 





083320 





008353 








predicted 





200000 


0.416667 


0.291667 





083333 





008333 






3 


observed 





600830 


0.368047 


0.030337 





000777 





000009 








predicted 





600781 


0.368056 


0.030382 





000772 





000010 






5 


observed 





768609 


0.227739 


0.003637 





000016 





000000 








predicted 





768647 


0.227708 


0.003629 





000017 





000000 






oo 


observed 






0.594471 


0.313125 





084043 





008362 








predicted 






0.594567 


0.313040 





084050 





008343 



Table 10: Rank frequencies for Jac(C)(F p ) for random genus 2 curves C : y 2 = f(x) with / e "H™. 
Sample size is 10 6 (or 10 2 p ranging over the interval [10 6 ,2 • 10 6 ]). Rows with £ = oo indicate 
maximum £-rank over all primes I. 
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P k 




1 = 2 


£ = 3 


£ = 5 


£ = 7 


£=11 


Cfe 


3 26 


observed 


0.6669 


0.4999 


0.2501 


0.1666 


0.1000 


0.4387 




predicted 


0.6667 


0.5000 


0.2500 


0.1667 


0.1000 


0.4401 


5 18 


observed 


0.6667 


0.3748 


0.2501 


0.1458 


0.1000 


0.5659 




predicted 


0.6667 


0.3750 


0.2500 


0.1458 


0.1000 


0.5662 




observed 


0.6667 


0.3751 


0.2499 


0.1667 


0.1001 


0.5541 




predicted 


0.6667 


0.3750 


0.2500 


0.1667 


0.1000 


0.5523 


ll 12 


observed 


0.6665 


0.3749 


0.2083 


0.1457 


0.1002 


0.6020 




predicted 


0.6667 


0.3750 


0.2083 


0.1458 


0.1000 


0.6015 



Tabic 11: £-torsion frequencies and Cfc values for C(¥ p k ) using random elliptic curves C : y 2 = f(x) 
with / e Hf. Sample size is 10 7 . 
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